Information Technology & Telecommunications Department
General Management

WHO Global Information Security Policy and Guidelines
November 2005

Policy and procedures
Table of Contents

I. Overview (p. 1)
  I.1 Scope (p. 1)
  I.2 Policy Framework (p. 1)
II. Information Security Policy (p. 3)
  II.1 Awareness (p. 3)
  II.2 Responsibility (p. 3)
  II.3 Response (p. 3)
  II.4 Ethics (p. 3)
  II.5 Risk assessments (p. 3)
  II.6 Information security design and implementation (p. 4)
  II.7 Information security management (p. 4)
  II.8 Reassessment (p. 4)
III. Implementing Guidelines (p. 5)
  III.1 Awareness (p. 5)
  III.2 Responsibility (p. 5)
  III.3 Response (p. 8)
  III.4 Ethics (p. 8)
  III.5 Risk assessments (p. 8)
  III.6 Information security design and implementation (p. 9)
  III.7 Information security management (p. 9)
  III.8 Reassessment (p. 11)
Acknowledgements (p. 12)
Annex A: Sample Technical and End-User Policy Domains (p. 13)
I. Overview

1. The security (confidentiality, integrity and availability) of information, and associated systems and networks, is a critical business requirement of WHO. In order to meet this requirement, I, the Director-General, endorse this information security policy as the highest level statement on information security. All owners, custodians and users of information, and associated systems and networks, throughout the organization, should read and abide by this policy.
"The aim of the WHO Global Information Security Policy is to provide senior management with an effective capacity to protect the World Health Organization's worldwide information assets".
2. Availability and integrity of information are vital components of the WHO's business operations. The WHO's mission, "the attainment by all peoples of the highest possible level of health", is dependent on the ability to source and manage information and disseminate it when and where required. While WHO as a public health organization has a mandate to share knowledge, some information held by the organization is internal and sensitive and cannot be shared.
3. The WHO Global Information Security Policy and Implementing Guidelines provide a framework to manage the risk of compromise and support business continuity of WHO's critical information assets and resources. The guidelines formalize the organization's information security capability and form part of the WHO's corporate governance for managing ongoing risk to WHO's critical assets and reputation.
4. The WHO Global Information Security Policy and Implementing Guidelines are developed in accordance with international standards and best practices.

I.1 Scope

5. WHO Global Information Security Policy and Implementing Guidelines cover all WHO information and communication assets. This includes online and offline IT systems, networks, databases, communications systems (such as phones and mobile devices), conferencing systems, managed or hosted services, applications, and documents.
6. All WHO staff and consultants have the responsibility to respect and comply with the WHO
Global Information Security Policy and associated implementing guidelines, technical and end-user policies.
I.2 Policy Framework

7. The WHO Global Information Security Policy provides a framework for protecting WHO's global information assets and services. "Protection" is defined as acceptable management of risks to reputation, availability, confidentiality, integrity and accountability.
8. The information security policy framework used within WHO is described in Figure 1 below. The top-down approach is defined by a policy statement ("WHO Global Information Security Policy") and WHO Global Information Security Implementing Guidelines. The Implementing Guidelines expand on the information security policy by defining the lifecycle for information security at WHO, encompassing information security policy development, assessment, review and education, and the WHO Information Security Management System (ISMS). Technical and end-user policies are issued to address more specific areas of risk to WHO assets.
Figure 1 - WHO Information Security Policy Framework

The figure presents the Policy Framework as layers, from the top down:

• Global Information Security Policy
• Global Information Security Implementing Guidelines and ISMS (*)
• Information Security Technical Policy, realised as Technical Policies (examples: Network and Communications Security; Enterprise Applications Security; Data Access Security)
• Information Security User Policy, realised as End User Policies (examples: Acceptable Use Policy; Email Policy; Password Policy)
• Industry standards and practices

(*) ISMS: Information Security Management System (ref. ISO27001 and ISO17799)
II. Information Security Policy

II.1 Awareness

9. All WHO staff, contractors, consultants and business units must be aware of the need for information security and what they can do to enhance security.

10. Staff and external organizations accessing WHO information systems must be familiar with the WHO Information Security Policy and its requirements.
II.2 Responsibility

11. All WHO staff and business units are explicitly responsible for information security.
12. WHO staff and business units depend upon interconnected local and global information
systems and networks and should understand their responsibility for the security of those information systems and networks. The WHO Chief Information Security Officer (CISO) is charged with responsibility for information security. He/She has the mandate and authority to assist WHO staff and business units to address their responsibility and comply with this information security policy and associated information security policies, standards and guidelines.
II.3 Response

13. All WHO staff and business units must act in a timely and co-operative manner to prevent, detect and respond to security incidents.

14. A solid information security monitoring and incident response capacity is important and will be implemented throughout the organization, in addition to effective prevention measures, since no information security protection or prophylactic schemes are perfect. It is the duty of all WHO staff, consultants, contractors and business units to report any violation of the WHO Information Security Policy to the CISO.
II.4 Ethics

15. All WHO staff and business units must respect the legitimate interests of others and the organization.

16. Ethical and acceptable use of information, and associated systems and networks, must be respected and strictly maintained by all WHO staff and business units.

II.5 Risk assessments

17. All WHO staff and business units should support the conduct of risk assessments.

18. Risk assessment allows determination of the acceptable level of risk and assists the selection of appropriate controls to manage the risk of potential harm to information systems and networks in the light of the nature and importance of the information to be protected. The CISO is charged with the mandate and authority to implement a security program which ensures that periodic and timely information security assessments of critical WHO information systems and networks are conducted throughout the organization.
II.6 Information security design and implementation

19. All WHO staff and business units must incorporate information security as an essential element of information systems and network design and implementation.

20. The CISO must be involved at the earliest stages of WHO information systems and networks development. Security design and architecture must be incorporated into all phases of the information systems and networks life cycle, i.e. architectural design, system design, implementation, testing, maintenance and replacement.
II.7 Information security management

21. All WHO staff and business units should adopt a comprehensive approach to security management.

22. The information security management process consists of the cycle of PLAN (policy, assess, choose security controls), DO (operate controls), CHECK (check effectiveness), and ACT (correct and improve). WHO Information Security Policy defines the formal information security management process to be applied in maintaining and enhancing security of all critical information systems and networks throughout WHO.
II.8 Reassessment

23. All WHO staff and business units must support the review and reassessment of information systems and networks, and make appropriate modification to security policies, practices and procedures as determined by the CISO.
24. New and changing threats and vulnerabilities are continuously discovered. All owners,
custodians and users of information, and associated systems and networks at WHO, must accept the CISO's ongoing review, reassessment and recommendations on all aspects of security to deal with evolving risks.
III. Implementing Guidelines

III.1 Awareness
All WHO staff, contractors, consultants and business units must be aware of the need for information security and what they can do to enhance security.
25. The information security awareness and training program will be maintained and conducted
jointly by the Chief Information Security Officer ("CISO"), offices and departments responsible for Information Technology and those responsible for staff training. The program will include a local awareness component delivered in conjunction with Designated Information Security Officers (described in paragraphs 37-40).
26. The program covers:
a) Staff briefing on information security at WHO;
b) Communication of early-warning, advisory and general information;
c) Awareness campaign such as posters, mail drop, and classifieds;
d) InfoSec Home Page Web site;
e) InfoSec Forum and Workshops;
f) End-user policy guide and Q & A distributed to new staff and external consultants or vendors;
g) Any other expert presentations or material that is deemed necessary by information security staff, training group or management.

27. Key awareness areas to be covered include:
a) Program existence and mandate;
b) The requirement to consult CISO for all new or revised projects;
c) Budgeting and requirement for security assessments;
d) Promotion of new monitoring initiatives;
e) Promotion of information security policy, standards and end user policies.
III.2 Responsibility
All WHO staff and business units are explicitly responsible for information security.
Staff, Consultants, Contractors and Service Providers

28. As part of "WHO Condition of Employment" (and consultant or supplier terms of contract), staff members will be required to agree in writing to compliance with the WHO Information Security Policy (and end user policies). Written copies of end user policies will be provided at the time of commencement of employment or work for WHO and will be posted on the Organization's Intranet.
29. Individuals are responsible and accountable for complying with this policy for information
under their control. The ultimate responsibility for information security rests with the owners of the information.
30. It is the responsibility of project managers and their staff to ensure that any vendors or service
providers working with WHO agree to the WHO Information Security Policy.
31. Failure to comply with WHO information security policies will result in disciplinary action being taken against an individual or entity contracted by the organization. This action may include requiring ongoing compliance measures, removal of access, or for serious offences, termination of employment or contract or other legal measures.
Chief Information Security Officer (Global Function)

32. The Chief Information Security Officer ("CISO") assesses risks globally to WHO assets, and ensures senior management is aware of their current risk profile. Through a combination of policy and technical strategies, the CISO is able to reduce and monitor risks defined by management as unacceptable. This ongoing process is designed to assure protection of critical WHO assets and provide management with a clear understanding of their risk position.
33. The global CISO function must be funded to achieve its objectives. Funding is required for
security hardware, software, personnel and service costs directly related to global strategies and services for protecting WHO's information, IT systems, reputation and also regulatory compliance.
34. The CISO is responsible for:
a) Development of global policies in conjunction with management and G-WG-InfoSec;
b) In-depth information security assessment and review;
c) Continuous monitoring, surveillance and compliance;
d) Adoption of global protection strategies;
e) Awareness and training program (described in paragraphs 9-10);
f) Supporting business units, departments and major offices to develop local policy through the provision of a global information security policy framework.

35. The CISO provides proactive global leadership and advocacy of information security issues within WHO.

36. The CISO is an independent global entity with a reporting channel to IT Governance, to ensure collective compliance with WHO Global Information Security Policy.

Designated Information Security Officers (DISO, Major Office Function)

37. Each major office (including HQ, Regions and IARC) will have a designated information security officer. Each Designated Information Security Officer will assist the CISO to implement the Global Information Security Policy, perform assessment and compliance functions within their Office, and develop office specific information security policies and controls.
38. The designated information security officer may be a specialized information security
professional, or a member of staff with responsibility for major office information security controls such as policies, information security self-assessment, firewalls, virus protection, and application security. He/She has the responsibility to report to the CISO on the compliance of each major office and respective country office with the WHO Global Information Security Policy. He/She will also oversee the implemented information security controls to ensure information security and integrity is maintained (such as patches) to agreed levels. Designated Information Security Officers will receive advisories from CISO and also receive updates from specialized monitoring systems to assist them in their information security function.
39. The DISO function must be funded to achieve its objectives. Funding is required for security hardware, software, personnel and service costs directly related to major office global policy compliance and operational services for protecting WHO's regional information, IT systems, reputation and also local regulatory compliance.
40. Each Designated Information Security Officer is responsible for:
a) Development of local policies and procedures within the framework of the WHO Global Information Security Policy;
b) Managing vulnerabilities;
c) Raising local staff awareness by developing a local awareness program (described in paragraphs 9-10);
d) Maintaining local control systems, e.g. anti-malware (virus/worm, SPAM, spyware, phishing);
e) Security threats to Internet based databases, web sites, e-mail servers, etc.;
f) Reporting the annual self assessment of major office compliance with WHO Global Information Security Policy. CISO will perform tri-annual formal assessment of compliance.
Global Working Group on Information Security

41. The Global Working Group on Information Security ("G-WG-InfoSec") consists of the CISO, DISOs and other nominated information security specialists from all of the WHO major offices, with management and technical responsibility for information security. The G-WG-InfoSec facilitates information security collaboration and agreement between the CISO and all of the WHO major offices, fosters information security awareness and leadership at all levels of the organization, and provides a review and consensus mechanism for new information security policy and standards development.

Global Information Security Governance

42. The Global Information Security Governance group provides executive oversight and direction to the global information security function within the organization.

43. Membership includes the CISO, ICT leadership from HQ, Regions, IARC, GSM and also ADG/GMG.

44. The Global Information Security Governance group will meet annually during the ICT Global Management Team meeting. The agenda will include:
a) Annual report by the CISO on the performance and outcomes of the implementation of the WHO Global Information Security Policy;
b) Discussion of upcoming work plan;
c) Providing guidance on the resources required to meet program objectives.

Management Responsibility

45. Executive Management bears the responsibility for ensuring strong support for the WHO Global Information Security Policy and Implementing Guidelines, and the CISO function, including providing adequate resources to maintain the information security controls needed to manage risks to organizational information.
46. WHO staff and business units depend upon interconnected local and global information systems and networks and should understand their responsibility for the security of those information systems and networks. The WHO Chief Information Security Officer (CISO) is charged with responsibility for information security. He/She has the mandate and authority to assist WHO staff and business units to address their responsibility and comply with this information security policy and associated information security policies, standards and guidelines.
III.3 Response
All WHO staff and business units must act in a timely and co-operative manner to prevent, detect and respond to information security incidents.
47. The CISO provides a general incident response strategy for WHO, and for incidents of a
critical nature, CISO can leverage incident response advisory and forensic services provided by external experts.
The CISO must be contacted for any known or perceived breach of information security at WHO globally.
48. The DISO will monitor critical assets, including automated monitoring, to continually assess
compliance with WHO Global Information Security Policy and risk levels to WHO and will escalate breaches of the information security policy to the CISO using procedures and thresholds agreed to through the G-WG-InfoSec. This is to ensure protection strategies are effective, and to enable accurate reporting to management of the current corporate risk profile.
49. Prevention may also be included with the monitoring function, to prohibit non-compliant systems from affecting WHO assets.

III.4 Ethics
All WHO staff and business units must respect the legitimate interests of others and the organization.
50. CISO will provide policy and promote awareness on the ethical use of WHO information assets.

51. All staff have a responsibility to act morally and ethically when accessing and using WHO information assets. This includes maintaining confidentiality and privacy of information where required, and ensuring compliance with regulatory and legal obligations.
III.5 Risk assessments
All WHO staff and business units should support the conduct of risk assessments.

52. The CISO will perform risk assessments to determine key WHO assets and the level of risk to
those assets. This assessment forms a critical part of the WHO Global Information Security Policy and the CISO’s mandate to assure protection of key WHO assets. Risk assessments also enable the CISO to measure the effectiveness of information security policy and technical strategies and whether additional measures are required.
53. A protection plan will be jointly developed with and presented to asset owners after completion of a risk assessment. Owners will take all reasonable steps to implement this protection plan.
54. The CISO, in consultation with G-WG-InfoSec and the business owners of critical
information assets, will determine the schedule for information assets to undergo risk assessment.
55. Risk assessment outcomes and subsequent protection plans will be developed according to the
WHO’s risk position. The risk position will be determined by management for particular assets under their control, and by Senior Management for the overall WHO risk position.
III.6 Information security design and implementation
All WHO staff and business units must incorporate information security as an essential element of information systems and network design and implementation.
56. Projects, departments, vendors or managed service providers that are planning, developing or
deploying new or revised information assets for WHO must be aware of information security policies, standards and procedures that affect their asset(s).
57. Consultation with the CISO is mandatory during the asset design phase to ensure
information security is appropriately considered and budgeted for. Any subsequent architectural or implementation decisions made by developers or management must be documented and auditable.
58. All new WHO applications (web or otherwise) and ICT services will be covered by the WHO
Global Information Security Policy and associated policies and standards. Technical staff and application developers must ensure they are familiar with WHO information security policy, standards and procedures affecting the assets under their control. A timetable for application of the WHO Information Security Policy to pre-existing applications will be determined by the CISO in consultation with the G-WG-InfoSec.
III.7 Information security management
All WHO staff and business units should adopt a comprehensive approach to information security management.
59. Central to the WHO's Information Security Management System (ISMS) is the requirement for business units to prove or certify that their key information assets are compliant with the organization's information security policy. This ensures the CISO is consulted during asset design or review phases.
60. The CISO's work is defined by an information security management lifecycle that incorporates strong quality assurance measures and performance metrics, to ensure results remain accurate. This lifecycle process is defined in international standards, and amended for adoption within the WHO. The process explains how information security management is implemented at WHO. The PLAN, DO, CHECK, ACT model (shown below) ensures completeness in the approach to information security within WHO, and also ensures a quality process that is continually being refined.
Information Security Management System (ISMS) cycle* (ref. ISO/IEC 27001:2005), applied to the Information Security Controls:

PLAN
• Determine the scope of ISMS
• Develop ISMS policy
• Conduct risk assessment
• Develop risk treatment plan
• Select security objectives and controls
• Justify selection of controls against risk assessment (statement of applicability)

DO
• Implement preventive plans
• Operate security controls
• Promptly detect and respond to incidents
• Ensure staff are security aware, trained and competent
• Manage necessary resources

CHECK
• Ensure security controls are in place and are achieving objectives
• Review residual risk levels
• Review security processes
• Determine metrics
• Check monitoring and response capacity
• Learning from others
• Internal ISMS audit
• Management review

ACT
• Corrective action
• Preventive action
• Improvements, e.g.:
  o Improve security processes
  o Refine risk mitigation plans
  o Develop and refine policy
  o New security controls

(*): Domains of Information Security Controls and Best Practices, as defined by ISO/IEC 17799:2005:
• Information security policy;
• Organization of information security;
• Asset management;
• Human resources for information security;
• Physical and environmental security;
• Communications and operations management;
• Access control;
• Information systems acquisition, development and maintenance;
• Information security incident management;
• Business continuity management;
• Compliance.
Specific control measures include but are not limited to:
• Governance, Technical and End-User Policies; Standards and Reference Architecture;
• Auditing and Compliance Assessment; Certification;
• Vulnerability Management; Anti-Malware (Virus, Worms, Trojan horses, SPAM, spyware) Systems;
• Access-control Enforcement (firewalls/IPS, authentication, authorization, accounting systems, etc.);
• Monitoring, Surveillance and Response; Incident Response Teams;
• Awareness and Training Programs.
III.8 Reassessment

All WHO staff and business units must support the review and reassessment of information systems and networks, and make appropriate modification to information security policies, practices and procedures as determined by the CISO.
61. The CISO will perform regular reassessment and compliance assessments of WHO information assets to ensure the Organization's risk profile is accurate and risk is minimized.
62. WHO Information Security Management System will be continuously reviewed to provide quality assurance and alignment with industry best practices and current threat profiles. The CISO will commit to ongoing training to ensure the implementation of the WHO Global Information Security Policy keeps pace with emerging threats and technologies.
63. WHO information security policies and procedures will be reassessed and updated progressively to ensure they keep pace with changing security requirements and new information security threats.
Acknowledgements
1. ISO/IEC 27001, Information Technology - Information Security Management System - Requirements (October 2005).
2. ISO/IEC 17799, Information Technology - Code of Practice for Information Security Management (June 2005).
3. ACSI33, Australian Government Information and Communications Technology Security Manual, Draft Version (January 2005).
4. Canavan, S., An Information Security Policy Development Guide for Large Companies, SANS Institute (November 2004).
5. Guel, Michele, A Short Primer for Developing Security Policies, SANS Institute (2001).
6. Weise, J. and Martin, C., Data Security Policy - Structure and Guidelines, Sun Microsystems Inc. (December 2001).
7. Jarmon, D., A Preparation Guide to Information Security Policies, SANS Institute (2002).
8. Creating, Implementing and Managing the Information Security Lifecycle, Internet Security Systems (ISS) (2000).
9. E-security Begins with Sound Security Policies, Symantec Corporation (2001).
10. OECD Guidelines for the Security of Information Systems and Networks - Towards a Culture of Security, OECD (2002).
11. RFC 2196, Site Security Handbook, Network Working Group, IETF (September 1997).
12. Computer Security Resource Centre, National Institute of Standards and Technology, US Federal Government.
Annex A: Sample Technical and End-User Policy Domains

Network and Communication Systems Security
• High Security LAN Architecture (DMZ)
• Firewall
• Intrusion Detection and Prevention System (IDS/IPS)
• Global IP addressing
• Domain Name System
• Electronic Messaging
• Mailing List
• Instant Messaging
• Anti-Malware (virus, worm, Trojan horses, spyware)
• Wireless Network
• Internet Cafe
• Virtual Private Network (VPN) and Remote Access
• File Transfer and Sharing
• Operating systems
• Printing
• Telephone PBX
• Mobile Phones
• Video Conference
• IP Telephony
• FAX
• Multimedia
• Network Management
• Traffic Monitoring
• Bandwidth Management
• Password Management
• Patch Management
• Configuration Management
• Asset Management
• Log Management
• Configuration Backup and Restoration
• Systems Disaster Recovery and Contingency Planning
• Insurance (Systems damage or Services interruption)

Enterprise Applications Security
• Web Applications
• ERP (GSM)
• Intranet
• Extranet
• Internet (www.who.int)
• Collaboration and Knowledge Sharing Tools
• Telecommuting and Home Computing
• Data Backup and Restoration
• Data Disaster Recovery and Contingency Planning
• Insurance (Data loss)

Data Access Security
• Data Classification
• Identity Management
• Authentication
• Authorization and Access Control
• Encryption
• Digital signatures
• Certificate Management
• Key Management

Physical Security
• Building Access
• Controlled Area Access
• Equipment Protection
• Housekeeping
• Water Protection
• Fire Protection
• Air Conditioning and Electronic Power
• Insurance (Site destruction or Equipment damage)

End-User Policy Booklet
• Security Awareness
• Acceptable Use
• Password strength, sharing and changing
• Email Security
• Remote Access and use of home systems
• Locking and logging out of systems
• Acceptance of systems being audited and monitored
• Data classification standards
• Transmission and storage of WHO information
• Strong Authentication for the ERP